Experts have discovered an apparently benign Mario graphic package that uses steganography to conceal the malicious code for GrandCrab ransomware. The campaign is being run in Italy at the moment but experts believe that it’s soon going to spread to other countries as well. Initially, targets receive an excel sheet via email that won’t open online and requires the user to enable edit and enable content. Once the content is enabled, its macros will be triggered that check if the computer is conﬁgured to use the Italy region. If not, it will exit the spreadsheet and nothing else happens. Otherwise, a Mario image is downloaded as shown below:
The image hides malicious code using steganography, in conjunction with heavily obfuscated Microsoft PowerShell commands that attackers have hidden within the color channels of blue and green pixels. This technique makes the threat hard to be detected by ﬁrewall and other defense systems. Experts were able to download the samples from the address in the de-obfuscated Powershell, including from an Italy-based VPN, and discovered several samples of the Gandcrab ransomware.
When the malware detonates, the usual macro-based launch of cmd.exe and PowerShell with obfuscated arguments is seen.
The decoded image looks like this:
Another large string (base64 encoded) is then observed which is sliced/diced into 40 parts. This can be reassembled:
As researchers further analyzed the codes, multiple layers of still more mildly obfuscated PowerShell were found.
On successful infection by the GrandCrab ransomware, ﬁles on the targeted machine are encrypted and the following ransom note is found on the device.
Indicators of Compromise
Malware Hash (MD5/SHA1/SH256)
3849381059d9e8bbcc59c253d2cbe1c92f7e1f1992b752d396e349892f2bb0e7 2726cd6796774521d03a5f949e10707424800882955686c886d944d2b2a61e0 0c8c27f06a0acb976b8f12ﬀ6749497d4ce1f7a98c2a161b0a9eb956e6955362 ec2a7e8da04bc4e60652d6f7cc2d41ec68ﬀ900d39fc244cc3b5a29c42acb7a4 630b6f15c770716268c539c5558152168004657beee740e73ee9966d6de1753f
Block the threat indicators at their respective controls.
Strictly avoid downloading and opening document ﬁles received via unexpected emails.